On Sat, 29 Jul 2006 10:18 am, John Andersen wrote:
SLES9 is an enterprise class server, but SuseFirewall is a user class firewall tool.
Susefirewall is not a user class firewall tool, sorry.
Oops, didn't mean to offend...
But it is missing too many features for production use in large shops in MY opinion, and configuration is sort of mysterious.
Those features it does have are sort of hard to figure out, but I do use it for workstations.
Largely I'm happy with Susefirewall2 (at least the 9.3 version). A couple of things though:

How do I get it to log to /var/log/firewall instead of /var/log/messages? /var/log/messages gets much too messy.

And I tried to get rate limiting on SSH connections working to cut the brute force SSH scanning, but this didn't work within Susefirewall2.

#
# /etc/sysconfig/Susefirewall2-custom
#
##########################################
# Rate limit brute force SSH attacks, rules by Andrew Pollock
#
# http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
#
#-----------------------------------------------------------------------#

# First whitelist a few hosts (a match here also removes the host from the
# "SSH" recent list, so it is never counted against the limits below)
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s susejam.cbf.csiro.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s bookreading.net -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s alianet.alia.org.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s flat.alia.org.au -m recent --remove --name SSH -j ACCEPT

# Then implement the "recent" based filter:
# record every new SSH connection, run the whitelist, log at 6 hits in
# 5 minutes, drop at 36 hits in an hour
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 36 --rttl --name SSH -j DROP

-- 
Michael James                         michael.james@csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

No matter how much you pay for software, you always get less than you hoped.
Unless you pay nothing, then you get more.